apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers :
  - name: kube-apiserver
#  gcr.io/google_containers/kube-apiserver-amd64:v1.10.0
    image: mirrorgooglecontainers/kube-apiserver-amd64:v1.10.0
    command:
      - kube-apiserver
      - --v=0
      - --logtostderr=true
      - --allow-privileged=true
      - --bind-address=0.0.0.0
      - --secure-port=5443
      - --insecure-port=0
      - --advertise-address={{ VIP }}
      - --service-cluster-ip-range={{ ServiceClusterIPRange }}
      - --service-node-port-range={{ ServiceNodePortRange }}
      - --etcd-servers={% for host in groups['Master'] %}https://{{ hostvars[host].ansible_default_ipv4.address }}:{{ ETCD_PORT }}{% if not loop.last %},{% endif %}{% endfor %}

      - --etcd-cafile={{ etcd_ssl_path }}/{{ etcd_ca }}.pem
      - --etcd-certfile={{ etcd_ssl_path }}/etcd.pem
      - --etcd-keyfile={{ etcd_ssl_path }}/etcd-key.pem
      - --client-ca-file={{ kubernetes_pki }}/{{ ca }}.pem
      - --tls-cert-file={{ kubernetes_pki }}/apiserver.pem
      - --tls-private-key-file={{ kubernetes_pki }}/apiserver-key.pem
      - --kubelet-client-certificate={{ kubernetes_pki }}/apiserver.pem
      - --kubelet-client-key={{ kubernetes_pki }}/apiserver-key.pem
      - --service-account-key-file={{ kubernetes_pki }}/sa.pub
      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      - --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
      - --authorization-mode=Node,RBAC
      - --enable-bootstrap-token-auth=true
      - --requestheader-client-ca-file={{ kubernetes_pki }}/front-proxy-ca.pem
      - --proxy-client-cert-file={{ kubernetes_pki }}/front-proxy-client.pem
      - --proxy-client-key-file={{ kubernetes_pki }}/front-proxy-client-key.pem
      - --requestheader-allowed-names=aggregator
      - --requestheader-group-headers=X-Remote-Group
      - --requestheader-extra-headers-prefix=X-Remote-Extra-
      - --requestheader-username-headers=X-Remote-User
      - --audit-log-maxage=30
      - --audit-log-maxbackup=3
      - --audit-log-maxsize=100
      - --audit-log-path={{ kubernetes_log }}/audit.log
      - --audit-policy-file={{ kubernetes_path }}/{{ audit_policy_yml }}
      - --experimental-encryption-provider-config={{ kubernetes_path }}/{{ encryption_yml }}
      - --event-ttl=1h
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: {{ kubernetes_log }}
      name: k8s-audit-log
    - mountPath: {{ kubernetes_pki }}
      name: k8s-certs
      readOnly: true
    - mountPath: {{ ca_certs_path }}
      name: ca-certs
      readOnly: true
    - mountPath: {{ kubernetes_path }}/{{ encryption_yml }}
      name: encryption-config
      readOnly: true
    - mountPath: {{ kubernetes_path }}/{{ audit_policy_yml }}
      name: audit-config
      readOnly: true
    - mountPath: {{ etcd_ssl_path }}
      name: etcd-ca-certs
      readOnly: true
  volumes:
  - hostPath:
      path: {{ kubernetes_log }}
      type: DirectoryOrCreate
    name: k8s-audit-log
  - hostPath:
      path: {{ kubernetes_pki }}
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: {{ kubernetes_path }}/{{ encryption_yml }}
      type: FileOrCreate
    name: encryption-config
  - hostPath:
      path: {{ kubernetes_path }}/{{ audit_policy_yml }}
      type: FileOrCreate
    name: audit-config
  - hostPath:
      path: {{ ca_certs_path }}
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: {{ etcd_ssl_path }}
      type: DirectoryOrCreate
    name: etcd-ca-certs
